Creating SSH Keys
For many years the most common format for SSH keys has been RSA. If you need to keep using RSA for maximum compatibility with the systems you use, make sure your RSA key is at least 2024 bits long. You can determine the length of your current key with the following command:
ssh-keygen -l -f ~/.ssh/id_rsa
The number at the start of the line is the length of your current key.
If you are generating a new key, you might want to consider 3072 or 4096 bits.
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "[email protected]"
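To turn the output of "ssh-keygen -l" into a pass/fail check rather than reading the number by eye, here is an added shell example; it is not code from the original page. It parses the "<bits> <fingerprint> <comment> (<TYPE>)" line that ssh-keygen prints and compares the size with a floor. The floor values (2048 for RSA, at least 256 for ECDSA) and the function names are this example's own assumptions, so adjust them to your policy.

```sh
#!/bin/sh
# Added example, not code from the original page. Judges whether a key size
# reported by "ssh-keygen -l -f KEY" meets a policy floor. The thresholds
# (RSA >= 2048, ECDSA >= 256, Ed25519 fixed at 256, DSA never) and the
# function names are assumptions of this example, not the page's own.

# ssh-keygen -l prints one line: "<bits> <fingerprint> <comment> (<TYPE>)".
# key_ok LINE [RSA_MIN]  -> status 0 if the key meets the floor, 1 otherwise.
key_ok() {
  line=$1
  rsa_min=${2:-2048}
  bits=${line%% *}                        # first field: the key size in bits
  ktype=${line##*\(}; ktype=${ktype%\)}   # text inside the trailing parentheses
  case "$ktype" in
    RSA)     [ "$bits" -ge "$rsa_min" ] ;;
    ECDSA)   [ "$bits" -ge 256 ] ;;       # 384 is what the page recommends
    ED25519) [ "$bits" -eq 256 ] ;;       # only one size exists
    *)       return 1 ;;                  # DSA and anything unrecognised fail closed
  esac
}

# check_key_file KEY [RSA_MIN] -> runs ssh-keygen on a key file (public or
# private half), prints a verdict, and returns key_ok's status.
check_key_file() {
  line=$(ssh-keygen -l -f "$1") || return 1
  if key_ok "$line" "${2:-2048}"; then
    echo "ok   $1: $line"
  else
    echo "WEAK $1: $line"
    return 1
  fi
}

# Usage when run directly: check every key file named on the command line.
for k in "$@"; do check_key_file "$k"; done
```

Run it as "sh check_keys.sh ~/.ssh/id_rsa.pub ~/.ssh/id_ecdsa.pub"; the public half is enough, since ssh-keygen reports the same size for either half.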
Newer SSH key types
IMSS recommends ECDSA on the NIST P-384 curve for new keys. ECDSA is widely supported and provides the same or better security than RSA with much smaller keys.
NOTE: 1Password does not currently support saving ECDSA type keys in their "SSH Keys" template but you can save them as "Secure Notes" instead.
Mac or Linux
To create a new key on Linux or Mac, use the following command and be sure to use a passphrase of reasonable length and complexity:
ssh-keygen -t ecdsa -b 384 -f ~/.ssh/id_ecdsa -C "[email protected]"
Please be sure to keep your private key private. As a reminder, the permissions for your .ssh directory should be "drwx------" and your key should be "-rw-------". The public half of your key can be readable, e.g. "-rw-r--r--".
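To check those modes in one step instead of reading "ls -l" output, here is an added shell example that is not code from the original page. It audits a directory against the guidance above: the directory and private keys must be owner-only (700 / 600), public keys may be readable by others but never writable by them. The function names are this example's own; it works with GNU stat (Linux) or BSD stat (macOS).

```sh
#!/bin/sh
# Added example, not code from the original page. Audits the modes of an SSH
# directory against the guidance above: the directory and private keys must
# be owner-only (700 / 600), public keys may be readable by others but never
# writable by them. Function names are this example's own; it works with
# GNU stat (Linux) or BSD stat (macOS).

# Print the permission bits of PATH as an octal string such as 700 or 644.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# mode_clear PATH MASK -> status 0 when none of the octal MASK bits are set.
mode_clear() {
  [ $(( 0$(mode_of "$1") & $2 )) -eq 0 ]
}

# audit_ssh_dir [DIR] -> prints one line per finding and returns the number
# of problems, so 0 means everything matches the guidance. Default is ~/.ssh.
audit_ssh_dir() {
  dir=${1:-$HOME/.ssh}
  problems=0
  if ! mode_clear "$dir" 077; then
    echo "BAD  $dir is mode $(mode_of "$dir"), expected 700 (drwx------)"
    problems=$((problems + 1))
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.pub)                    # public half: -rw-r--r-- is fine, group/other write is not
        if ! mode_clear "$f" 022; then
          echo "BAD  $f is mode $(mode_of "$f"), must not be group/other writable"
          problems=$((problems + 1))
        fi ;;
      "$dir"/id_*)              # private half: -rw------- only
        if ! mode_clear "$f" 077; then
          echo "BAD  $f is mode $(mode_of "$f"), expected 600 (-rw-------)"
          problems=$((problems + 1))
        fi ;;
      *) ;;                     # config, known_hosts, authorized_keys: not covered by the page
    esac
  done
  if [ "$problems" -eq 0 ]; then echo "ok   $dir matches the guidance"; fi
  return "$problems"
}

# Usage when run directly: audit the directory given as the first argument.
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```

Run "sh audit_ssh.sh ~/.ssh"; a non-zero exit status is the number of files that need "chmod 700" or "chmod 600".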
Windows
For Windows users, the command is similar but the default file location is a little different:
cd c:\users\%username%\.ssh
ssh-keygen -t ecdsa -b 384 -f id_ecdsa -C "[email protected]"
Windows users should not have to change the directory or key permissions after running that command. If you need to verify the permissions, you can use the "icacls" command. The permissions should be as follows:
- On the private key, id_ecdsa:
  - your user has Modify NTFS permissions;
  - Administrators and SYSTEM have Full NTFS permissions.
- On the public key, id_ecdsa.pub:
  - Everyone has Read NTFS permissions;
  - your user has Modify NTFS permissions;
  - Administrators and SYSTEM have Full NTFS permissions.
Generating SSL Keys
Keys used for SSL certificates should follow the same guidelines we give for SSH keys:
- RSA keys should be at least 2024 bits long; preferably 3072 or 4096 bits long
- Where possible, create new keys using ECDSA on the NIST P-384 curve
To create the private key for an SSL certificate with OpenSSL, run:
openssl ecparam -name secp384r1 -genkey -noout -out thePrivateKey.pem
The "-name secp384r1" argument selects the NIST P-384 curve (OpenSSL calls it secp384r1), the curve currently recommended for new keys.
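A mistyped "-name" value silently produces a key on a different curve, so it is worth reading the curve back out of the file before using it for a certificate request. Here is an added shell example, not code from the original page, that generates the key with the command above, keeps the file owner-only from the moment it is written, and verifies the curve and size; the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the original page. Generates the P-384 private
# key the command above produces, keeps the file owner-only from the moment it
# is written, and reads the curve and size back out of the file so a mistyped
# "-name" is caught before the key is used for a certificate request.
# Function names are this example's own assumptions.

# gen_ec_key OUTFILE [CURVE] -> write an EC private key (default secp384r1).
gen_ec_key() {
  ( umask 077                 # subshell: the new file is created mode 600
    openssl ecparam -name "${2:-secp384r1}" -genkey -noout -out "$1" )
}

# key_curve KEYFILE -> print the named curve stored in the key, e.g. secp384r1.
key_curve() {
  openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: *//p'
}

# key_bits KEYFILE -> print the key size openssl reports, e.g. 384.
key_bits() {
  openssl ec -in "$1" -noout -text 2>/dev/null |
    sed -n 's/^Private-Key: (\([0-9]*\) bit).*/\1/p'
}

# verify_p384 KEYFILE -> status 0 only if the file holds a P-384 key.
verify_p384() {
  curve=$(key_curve "$1"); bits=$(key_bits "$1")
  if [ "$curve" = "secp384r1" ] && [ "$bits" = "384" ]; then
    echo "ok   $1: $curve ($bits bit)"
  else
    echo "BAD  $1: curve '${curve:-unknown}', ${bits:-?} bit, expected secp384r1/384"
    return 1
  fi
}

# Usage when run directly: sh make_key.sh thePrivateKey.pem
if [ $# -gt 0 ]; then gen_ec_key "$1" && verify_p384 "$1"; fi
```

The umask in a subshell matters more than the chmod people usually add afterwards: it means there is no window in which the key file is world-readable.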